Issued: September 22, 2008
Initial Registration Period: September 22, 2008 – November 3, 2008
On July 30, 2008, Nacha’s Board of Directors approved a Policy Statement on Direct Access. This policy addresses the importance of Originating Depository Financial Institutions (ODFIs) registering with Nacha their direct access relationships for ACH debit transactions, and following prudent risk management techniques including adherence to best practices for the duration of these relationships.
The Nacha Board of Directors expects that ODFIs will register their direct access relationships with Nacha, allowing Nacha to better quantify the number of, and the risk profile for, direct access relationships. Nacha will work with the ACH Operators to validate that financial institutions have registered all direct access relationships.
Nacha has established a secure website for ODFIs that includes the forms to complete the registration process. Financial institutions are required, during an initial six-week period from September 22, 2008 through November 3, 2008, to either register their current direct access relationships or acknowledging a statement that the institution does not maintain direct access relationships for ACH debit transactions.
While the Nacha Board considers registration mandatory, compliance with this policy will not be enforced as a rule until Nacha has adopted a rule regarding registration of direct access relationships.
The secure site for direct access registration is now available. Please visit to register.
Questions about this ACH Operations Bulletin should be submitted via firstname.lastname@example.org.
SECTION 1. Nacha Board of Directors Policy Statement on Direct Access
1. Why did Nacha adopt a direct access policy?
When an ODFI allows its Originators and Third Parties direct access to the ACH Operators, the ODFI and other Network participants become exposed to a variety of risks in the event of shortcomings, or even fraud, in the Originator’s or Third Party’s policies and processes. Accordingly, it is essential that an ODFI that permits direct access effectively mitigate such risks by appropriately underwriting, managing and monitoring its relationship with its customer, such as by fully utilizing ACH Operator tools that allow tracking of volume and exceptions. Regardless of the level of diligence performed by the ODFI’s direct access customers, the ODFI remains responsible for those customers and for the entities those customers introduce to the Network. Nacha is requiring registration of direct access relationships in order to better measure the extent of direct access relationships in the ACH Network and to gauge the risk profile for direct access relationships.
2. Is registration required for all direct access relationships?
Registration is only required for direct access relationships involving the origination of ACH debit transactions. This policy statement does not address a financial institution’s direct access relationships for ACH credit transactions. While ACH credit transactions can be transmitted via a direct access relationship, these relationships are not part of the registration requirement. In addition, registration is not required for correspondent/respondent relationships and third parties that transmit ACH files solely on behalf of a financial institution.
3. How is direct access defined for registration?
For purposes of registration, direct access includes the following:
(1) Originators that transmit ACH files [transactions] directly to an ACH Operator using a financial institution’s routing and transit number and settlement account; and
(2) Third Parties (either a financial institution’s Third Party Service Provider or an Originator’s Third Party Sender) that transmit ACH files [transactions] directly to an ACH Operator using a financial institution’s routing and transit number and settlement account.
For purposes of registration, direct access excludes:
(1) Financial institutions that transmit files using another financial institution’s routing number or settlement account (correspondent/respondent relationships); and
(2) Third Parties that transmit ACH files solely on behalf of the financial institution and do not have direct agreements with Originators (and are not themselves Originators).
4. Does the policy statement impose any requirements on ODFIs that currently do not have direct access relationships for ACH debit transactions?
Yes. ODFIs that currently do not have direct access relationships for ACH debit transactions are required to visit the direct access website and acknowledge a statement that they do not maintain direct access relationships at this time. ODFIs should do so during the six-week initial registration period, September 22, 2008 through November 3, 2008.
5. What will Nacha do with the information?
Nacha will use the information on direct access relationships in order to better quantify the number of, and the risk profile for, direct access relationships in the ACH Network. Nacha will work with the ACH Operators to validate that financial institutions have registered all direct access relationships. Registration information will be retained confidentially by Nacha and only reported in aggregate form.
SECTION 2. Registration Requirements for ODFIs
1. What are the responsibilities of ODFIs?
ODFIs are responsible for completing a form on Nacha’s direct access website to either:
- register their direct access relationships for ACH debit transactions with Nacha; or
- acknowledge a statement that the financial institution does not maintain any direct access relationships for ACH debit transactions.
This initial registration of direct access relationships, or acknowledgement of not maintaining a direct access relationship, should be completed during the six-week period, September 22, 2008 through November 3, 2008.
Financial institutions should then return to the direct access registration website to:
- report new direct access relationships once they are established;
- report when there is a significant change to a current direct access relationship, such as new contact information or a termination of a relationship; or
- report volume data for direct access relationships on a quarterly basis.
This registrations process is ongoing until superseded by a requirement in the Rules.
SECTION 3. Guidance for ODFIs
The Nacha Board recommends that financial institutions incorporate best practices in the following areas for their direct access relationships:
• Board Level Approval
Nacha’s Board of Directors strongly recommends that DFIs have their Board or a Board-level committee approve direct access relationships. This approval process ensures that this type of ACH activity is within the DFI’s risk parameters.
• Know Your Customer - Originators and Third Parties
DFIs should exercise due diligence to determine whether allowing a direct access relationship is appropriate with any given customer. This should include: (1) reviewing financial statements (e.g., three years worth) to check for creditworthiness, (2) obtaining and reviewing ratings from a credit service company and the Better Business Bureau, (3) understanding the type of business their customer is engaged in, and (4) knowing the types of ACH transactions that are being originated.
DFIs should approve any new business introduced by Originators or Third Parties with direct access after conducting an appropriate review. For example, DFIs should perform a risk-based review of new Originators supported by a Third Party with direct access to manage risks related to changes in volume and character of transactions.
• Adherence to the Rules
DFIs should ensure their agreements with these Originators and Third Parties address all appropriate rules provisions, including proper authorization and revocation language, and otherwise adhere to the Rules.
• Utilize Operator Risk Monitoring Tools
DFIs, along with the Originators and Third Parties, should subscribe to the risk monitoring services provided by the ACH Operators.
• Monitor Volume and Act Accordingly
DFIs should monitor origination and return volume and act accordingly if they note anything out of the ordinary, including a significant increase in origination volume or dollars as well as an atypical increase in return entries, particularly if they are for unauthorized reasons.
• Follow Regulatory Guidance Regarding Third Party Relationships
Federal banking agencies have recently released guidance on the use of Third Parties in sensitive banking areas. DFIs should remain current on all compliance standards related to the use of Third Parties for ACH origination.
SECTION 4. Attachment
Nacha Board of Directors Policy Statement on Direct Access